This invention relates in general to data processing devices and, more specifically, to an apparatus and methods that allow a processing device to apply flexible security when receiving information downloads.
Processing devices often have embedded programs or firmware stored in non-volatile memory. The firmware is executed by an embedded processor to achieve the desired functionality. Conventional high security applications have relied upon read only memory (ROM) to store the firmware.
Lower security processing devices have begun storing firmware in a reprogrammable memory device. The ability to reprogram the processing device is desired because this feature allows efficient debugging of the firmware. Those skilled in the art appreciate that firmware development typically requires many revisions. Reprogrammable memory avoids the need to discard an integrated circuit which includes the memory each time the firmware revision changes. Furthermore, the ability to reprogram the memory allows firmware upgrades of the processing device in the field as new bugs are fixed or as new features are added.
Although reprogrammable memory is readily available, the ability to reprogram a high security processing device is problematic. In the cable television industry, for example, there are risks that a "cable pirate" could use the reprogrammability feature to disable any security features designed to thwart pirates by replacing the firmware. Accordingly, the reprogrammability aspect is desired, but is viewed as impractical for security reasons.
Conventional high security processing devices use an integral ROM which is masked into an application specific integrated circuit (ASIC) at the time of manufacture. Masked ROMs add little to the cost of the ASIC and cannot be changed by pirates in order to defeat the security.
However, the firmware cannot be changed once the ASIC is produced. Accordingly, all debugging of the firmware takes place on emulators and prototype ASIC devices before production ASICs are manufactured. Use of emulators is problematic because they are typically much slower than a production ASIC and they are often not exact replicas of the production ASIC. Debugging with prototype ASIC devices is also problematic: they are expensive, and a number of prototype ASICs could be required to iteratively debug a design. It can take weeks to produce another iteration of prototype ASIC, which could cause serious delay to a development program. As those skilled in the art appreciate, firmware debugging of masked ROMs is a slow and expensive proposition.
In summary, it appears desirable to develop a processing device which is reprogrammable, but not susceptible to later attack by pirates. This device should reduce the design cycle for producing the ASIC by allowing debug of the firmware after ASIC production. Furthermore, the device should allow field upgrades of the firmware as new bugs are found or as new features are added.
According to the invention, an apparatus and methods allow for a processing device to utilize flexible security when receiving information downloads. In a first embodiment, a method stores information within a processing device. The method receives a download via a first input path which includes a first breakable link and stores the download within the processing device. At some point, a key is also stored within the processing device. A ciphertext download is received via a second input path which includes a second breakable link. The ciphertext download is decrypted utilizing the key and the resulting plaintext download is stored within the processing device.
In another embodiment, a method stores information within a processing device utilizing two paths. First plaintext information is loaded through a first download path extending from outside the processing device to memory, whereafter, the first plaintext information is stored in memory. At some point, a key is stored within the processing device. To enhance security, the first download path is disabled. Ciphertext information is loaded through a second download path, whereupon the ciphertext information is decrypted with the key to produce second plaintext information.
In yet another embodiment, a processing device includes a download port, a decryption engine, a memory, a first download path, a second download path, and a mechanism for disabling the first download path. The download port interfaces with the outside of the processing device. The first download path extends between the download port and the memory, and the second download path extends between the download port and a ciphertext input of the decryption engine. The mechanism for disabling the first download path prevents digital data from passing along that path.
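The two-phase lifecycle described in the embodiments above (a plaintext download path used during debug, a key stored on the device, the first path broken so that only the ciphertext path through the decryption engine remains) can be modelled in software. The following is an added example written for this page, not code from the patent or any product: the breakable links are modelled as one-way flags, the cipher is a constructed HMAC-SHA256 keystream chosen only so the example runs offline (the patent does not specify a cipher), and the class and function names are assumptions.

```python
import hashlib
import hmac
import os

# Hypothetical model of the patent's processing device (added illustration).
# Assumptions: breakable links are one-way flags, and the decryption engine
# runs a constructed HMAC-SHA256 counter-mode keystream, not any cipher the
# patent specifies.

NONCE_LEN = 12


class DownloadPathDisabled(Exception):
    """Raised when a download arrives on a path whose breakable link is broken."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed keystream: HMAC-SHA256 over nonce || counter blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_download(key: bytes, plaintext: bytes) -> bytes:
    """Producer side (outside the device): returns nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, stream))


class ProcessingDevice:
    def __init__(self):
        self.memory = b""          # reprogrammable firmware memory
        self.key = None            # key stored within the device
        self._first_link_broken = False   # first breakable link (plaintext path)
        self._second_link_broken = False  # second breakable link (ciphertext path)

    def load_plaintext(self, data: bytes) -> None:
        """First download path: download port straight into memory (debug phase)."""
        if self._first_link_broken:
            raise DownloadPathDisabled("first download path is disabled")
        self.memory = data

    def store_key(self, key: bytes) -> None:
        """Store the key the decryption engine will use."""
        self.key = key

    def disable_first_path(self) -> None:
        """Break the first link. There is deliberately no method to restore it."""
        self._first_link_broken = True

    def load_ciphertext(self, blob: bytes) -> None:
        """Second download path: download port -> decryption engine -> memory."""
        if self._second_link_broken:
            raise DownloadPathDisabled("second download path is disabled")
        if self.key is None:
            raise RuntimeError("no key stored; decryption engine cannot run")
        nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
        stream = _keystream(self.key, nonce, len(ct))
        self.memory = bytes(c ^ k for c, k in zip(ct, stream))


def demo_lifecycle(key: bytes) -> dict:
    """Walk one device through both phases; returns values a test can check."""
    dev = ProcessingDevice()
    dev.load_plaintext(b"debug firmware v0.1")      # constructed sample image
    debug_image = dev.memory
    dev.store_key(key)
    dev.disable_first_path()
    plaintext_rejected = False
    try:
        dev.load_plaintext(b"unsigned replacement")  # constructed; must fail now
    except DownloadPathDisabled:
        plaintext_rejected = True
    dev.load_ciphertext(encrypt_download(key, b"release firmware v1.0"))
    return {"debug_image": debug_image,
            "plaintext_rejected": plaintext_rejected,
            "final_image": dev.memory}


if __name__ == "__main__":
    print(demo_lifecycle(hashlib.sha256(b"constructed example key").digest()))
```

Two points worth noting from the model. First, once `disable_first_path()` has run there is no path that writes memory without passing the decryption engine, which is the property the embodiments rely on. Second, a ciphertext produced under a different key still decrypts to something and is stored; the page describes decryption only, so any check that the decrypted image is genuine (a MAC or signature) would be an addition beyond what the page states.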